Initial commit

README.install

@@ -0,0 +1,215 @@
+# -----
+# Install Etherpad Lite
+# -----
+
+# Add repository for  node.js 10.x
+#
+curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
+
+# Install nodejs
+#
+apt install -y nodejs
+
+# Create user/group etherpad
+#
+_etherpad_user="etherpad"
+adduser --system --home=/var/www/etherpad/ --group $_etherpad_user
+
+# Become user etherpad
+#
+# Note: its a system account, so you have to provide a shell
+#
+su - etherpad -s /bin/bash
+
+# Get/Install etherpad-lite
+#
+git clone --branch master https://github.com/ether/etherpad-lite.git
+
+# Exit from user etherpad
+#
+exit
+
+# Create systemd service file
+#
+cat <<EOF > /etc/systemd/system/etherpad.service
+[Unit]
+Description=Etherpad-lite, the collaborative editor.
+After=syslog.target network.target
+
+[Service]
+Type=simple
+User=etherpad
+Group=etherpad
+WorkingDirectory=/var/www/etherpad/etherpad-lite
+Environment=NODE_ENV=production
+ExecStart=/usr/bin/nodejs /var/www/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
+Restart=always # use mysql plus a complete settings.json to avoid Service hold-off time over, scheduling restart.
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+
+# Start etherpad-lie at boot time
+#
+systemctl daemon-reload
+systemctl enable etherpad.service
+systemctl start etherpad.service
+
+
+# NGINX as Proxy etherpad
+#
+FQHN="ep-6fwstq-ohv1zato8p.faire-mobilitaet.de"
+HOSTNAME="${FQHN%%.*}"
+
+cat <<EOF > /etc/nginx/sites-available/${FQHN}.conf
+# -- ${FQHN}
+
+
+upstream etherpad-lite {
+   server 127.0.0.1:9001;
+}
+
+server {
+   listen 80;
+   listen [::]:80;
+   server_name ${FQHN};
+   rewrite     ^(.*)   https://\$server_name\$1 permanent;
+}
+
+# we're in the http context here
+map \$http_upgrade \$connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+
+   listen 443 ssl http2;
+   listen [::]:443 ssl http2;
+
+   server_name  ${FQHN};
+
+   # - Needed for (automated) updating certificate
+   # -
+   include snippets/letsencrypt-acme-challenge.conf;
+
+
+   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+   #
+   # To generate a dhparam.pem file, run in a terminal
+   #    openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
+   #
+   ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+
+   # Eable session resumption to improve https performance
+   ssl_session_cache shared:SSL:50m;
+   ssl_session_timeout 10m;
+   ssl_session_tickets off;
+
+
+   #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
+   # omit SSLv3 because of POODLE
+   # omit  TLSv1 TLSv1.1
+   ssl_protocols TLSv1.2 TLSv1.3;
+
+   # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
+   # Everything better than SHA1 (deprecated)
+   #
+   ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
+   ssl_prefer_server_ciphers on;
+
+   ssl_certificate /var/lib/dehydrated/certs/${FQHN}/fullchain.pem;
+   ssl_certificate_key /var/lib/dehydrated/certs/${FQHN}/privkey.pem;
+
+   location / {
+      #proxy_pass           http://localhost:9001/;
+      proxy_pass           http://etherpad-lite;
+      proxy_set_header     Host \$host;
+      proxy_pass_header    Server;
+      # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+      proxy_buffering      off;
+      proxy_set_header     X-Real-IP \$remote_addr;  # http://wiki.nginx.org/HttpProxyModule
+      proxy_set_header     X-Forwarded-For \$remote_addr; # EP logs to show the actual remote IP
+      proxy_set_header     X-Forwarded-Proto \$scheme; # for EP to set secure cookie flag when https is used
+      proxy_set_header     Host \$host;  # pass the host header
+      proxy_http_version   1.1;  # recommended with keepalive connections
+      # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
+      proxy_set_header     Upgrade \$http_upgrade;
+      proxy_set_header     Connection \$connection_upgrade;
+
+   }
+
+   access_log  /var/log/nginx/${HOSTNAME}.access.log;
+   error_log   /var/log/nginx/${HOSTNAME}.error.log;
+}
+EOF
+
+# Enable new etherpad site
+#
+ln -s ../sites-available/${FQHN}.conf /etc/nginx/sites-enabled/
+
+# Restart NGINX servive
+#
+systemctl restart nginx
+
+
+# -----
+# Configure etherpad
+# ----
+
+# Install abiword
+#
+#  Abiword is needed to get advanced import/export features of pads. Setting
+#  it to null disables Abiword and will only allow plain text and HTML
+#  import/exports.
+#
+apt-get install abiword
+
+cp -a /var/www/etherpad/etherpad-lite/settings.json /var/www/etherpad/etherpad-lite/settings.json.ORIG
+
+# Edit settings file 'vim /var/www/etherpad/etherpad-lite/settings.json'
+#
+# 1.) enable abiword
+#    change
+#       "abiword": null,
+#     to
+#    "abiword": /usr/bin/abiword,
+#
+# 2.) Uncomment section '"users": {' and set password to make admin settings page
+#     available - https://${FQHN}/admin
+#
+# 3.) To suppress these warning messages change 'suppressErrorsInPadText' to true      
+#
+vim /var/www/etherpad/etherpad-lite/settings.json
+
+# Install the foollowing plugins via admin page
+#
+#    - adminpads2
+#    - delete_after_delay
+#    - delete_empty_pads
+#    - fileupload
+#    - font_color
+#    - font_family
+#    - font_size
+#    - headings2
+#    - pad_title
+#    - printer
+#    - et_title_on_pad
+#    - subscript_and_superscript
+
+
+# Plugin delete_after_delay
+#
+# Add foolowing code to settings.json
+#
+#    "ep_delete_after_delay": {
+#        "delay": 86400, // one day, in seconds
+#        "loop": true,
+#        "loopDelay": 3600, // one hour, in seconds
+#        "deleteAtStart": true,
+#        "text": "The content of this pad has been deleted since it was older than the configured delay."
+#    },
+#
+vim /var/www/etherpad/etherpad-lite/settings.json